id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
3507,sessions race condition,jimmy@…,adrian,"Regarding this piece of code in django/contrib/sessions/models.py:
{{{
while 1:
    session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
    try:
        self.get(session_key=session_key)
    except self.model.DoesNotExist:
        break
return session_key
}}}
There is a very, very small chance that a race condition exists between finding a unique session and saving it, which would result in one user ending up with a session owned by someone else. I know the chance is very small, but I do worry about it. Maybe it would be possible to also include remote_addr in the to-be-hashed string?
I also want to add that it would be nice to have a configuration option to make it impossible to use a session from another remote_addr. I might be too paranoid.",,closed,Contrib apps,master,,worksforme,sessions save,tom@…,Unreviewed,0,0,0,0,,